GPO's don't get applied after blocking access to root dc's
  • GPO's don't get applied after blocking access to root dc's

    Hello

    I am trying to secure our networks and have segregated our Active Directory tree into corresponding VLANs. So we have a three-level tree ...

    root.com = VLAN 1
    mid.root.com = VLAN 2
    cust1.mid.root.com = VLAN 3

    W2003 R2

    I am applying an ACL (sort of firewall) between each VLAN with the following rules.

    All DCs can get to each other.
    Non-DCs in VLAN 3 cannot get to VLAN 1 or 2.

    Problem :

    When I log into a member server in cust1.mid.root.com I get errors in the event log stating that the machine cannot get to the root DC for GPO processing.

    1. 1005 - Windows cannot connect to root.com domain. (Server Down). Group Policy processing aborted.

    2. 1030 - Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

    Question :

    1. Why is the GPO processing engine looking to the root.com domain when the GPO objects are in the local (cust1.mid.root.com) domain?

    2. How can I force it to look only at the local domain?

    Thanks for any assistance in this.

  • #2
    Re: GPO's don't get applied after blocking access to root dc's

    Does AD Sites and Services include the new subnets? Does each subnet have a GC?



    • #3
      Re: GPO's don't get applied after blocking access to root dc's

      Thanks for the prompt response.

      All DCs are GCs and all subnets are set up against the relevant sites.



      • #4
        Re: GPO's don't get applied after blocking access to root dc's

        Is DNS AD-integrated? Is there DNS on each site, and are the DHCP settings/static network settings set correctly?

        Edit: Also, have you tried running replmon, dcdiag and netdiag to check communication?



        • #5
          Re: GPO's don't get applied after blocking access to root dc's

          Hello,

          Yes, DNS is on every DC and is AD-integrated. There are no issues with replication, as the DCs can all talk to each other; ditto with all other diagnostics. The only issue is that the member server is contacting root.com for the list of GPOs but cannot get there because I am blocking it.

          Thanks again.



          • #6
            Re: GPO's don't get applied after blocking access to root dc's

            What services does the member server have? I wonder if it needs access to the 2 x Forest FSMO roles for some reason? I am not entirely sure whether access to the Forest FSMO role holders is required to process Group Policy.

            I take it the server is a member of the domain of the subnet it is located in?



            • #7
              Re: GPO's don't get applied after blocking access to root dc's

              Yes, the member server is a member of the domain in the same subnet. I doubt that the FSMOs are involved.

              I think the issue is to do with how it queries for the list of GPOs in the domain. I think it is making an LDAP query and is binding to root.com. I have tried googling this but all the results are about the GPO gubbins, not how the server looks for and applies them.

              Thanks again.

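One concrete thing to check at this point is where the GPO links the client has to resolve actually point. Group Policy processing walks the gPLink attribute of the site object (which lives in the Configuration partition and is replicated to every DC), then the domain, then each OU in the computer's DN. Each gPLink entry is an LDAP path ending in the DN of the domain that stores that GPO, and the client must reach a DC of that domain to read the GPO container and its SYSVOL folder. Site-linked GPOs are often stored in the forest root domain, so a site link is a common reason a child-domain member needs root.com. The following is an added example, not code from the thread, that parses a gPLink value (a constructed sample; the GUIDs and flags are assumptions) and reports which foreign domains the client would have to reach:

```python
import re
from dataclasses import dataclass

# Constructed sample value of a site's gPLink attribute. The GUIDs, the
# third GPO's domain and the option flags are illustrative assumptions,
# not data from the thread.
SAMPLE_GPLINK = (
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},"
    "cn=policies,cn=system,DC=root,DC=com;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},"
    "cn=policies,cn=system,DC=cust1,DC=mid,DC=root,DC=com;2]"
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},"
    "cn=policies,cn=system,DC=root,DC=com;1]"
)

# Each link is "[LDAP://<DN of the GPO container>;<options>]". The DN of a
# groupPolicyContainer never contains ';' or ']', so this split is safe.
_ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

# Option bits of a gPLink entry: bit 0 = link disabled, bit 1 = enforced.
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2


@dataclass
class GpoLink:
    dn: str        # distinguished name of the GPO's container object
    domain: str    # DNS name of the domain that stores the GPO
    disabled: bool
    enforced: bool


def domain_from_dn(dn: str) -> str:
    """Rebuild the DNS domain name from the DC= components of a DN."""
    # Policy container DNs contain no escaped commas, so a plain split suffices.
    parts = [p.strip() for p in dn.split(",")]
    labels = [p[3:] for p in parts if p.lower().startswith("dc=")]
    return ".".join(labels).lower()


def parse_gplink(value: str) -> list:
    """Split a gPLink attribute value into its individual GPO links."""
    links = []
    for m in _ENTRY.finditer(value):
        dn, options = m.group(1), int(m.group(2))
        links.append(GpoLink(dn=dn,
                             domain=domain_from_dn(dn),
                             disabled=bool(options & LINK_DISABLED),
                             enforced=bool(options & LINK_ENFORCED)))
    return links


def foreign_domains(value: str, local_domain: str) -> set:
    """Domains other than the client's own that hold an enabled linked GPO.

    The client must reach a DC of each of these domains (LDAP for the GPO
    container, SMB for the SYSVOL folder) or processing of that link fails.
    """
    local = local_domain.lower()
    return {lnk.domain for lnk in parse_gplink(value)
            if not lnk.disabled and lnk.domain != local}


if __name__ == "__main__":
    for lnk in parse_gplink(SAMPLE_GPLINK):
        state = "disabled" if lnk.disabled else ("enforced" if lnk.enforced else "enabled")
        print(f"{lnk.domain:24} {state:9} {lnk.dn}")
    print("must also reach:",
          sorted(foreign_domains(SAMPLE_GPLINK, "cust1.mid.root.com")))
```

On a 2003 DC the real values can be dumped with ldifde, for example `ldifde -f site.ldf -p base -l gPLink -d "CN=<site name>,CN=Sites,CN=Configuration,DC=root,DC=com"` for the site and the same with the domain or OU DN for the other scopes; any link whose DN ends in DC=root,DC=com is one the member server in VLAN 3 cannot satisfy while root.com DCs are blocked, and the fix is either to move or unlink that GPO or to allow LDAP/SMB to a root.com DC.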


              • #8
                Re: GPO's don't get applied after blocking access to root dc's

                Two questions:

                1. Do the member servers have the child domain DNS servers set as their DNS servers?

                2. Do you have AD Sites & Services set up for each subnet (VLAN)?



                • #9
                  Re: GPO's don't get applied after blocking access to root dc's

                  Edited because I didn't read your post correctly.


                  • #10
                    Re: GPO's don't get applied after blocking access to root dc's

                    Originally posted by joeqwerty:
                    Two questions:

                    1. Do the member servers have the child domain DNS servers set as their DNS servers?

                    2. Do you have AD Sites & Services set up for each subnet (VLAN)?

                    1. Yes, the member servers point to their local DNS servers.
                    2. Yes, Sites and Services is configured and happy.

                    Thanks for your assistance.



                    • #11
                      Re: GPO's don't get applied after blocking access to root dc's

                      Are there Global Catalog servers in each VLAN?



                      • #12
                        Re: GPO's don't get applied after blocking access to root dc's

                        I take it your member server in VLAN3 is a member of the child domain?

                        When you log on to the member server are you logging on to the child or root domain?



                        • #13
                          Re: GPO's don't get applied after blocking access to root dc's

                          Originally posted by joeqwerty:
                          Are there Global Catalog servers in each VLAN?

                          Hello, yes there are. It might be worth reviewing some of the posts below, as they may answer your questions.

                          Thanks for the help though.



                          • #14
                            Re: GPO's don't get applied after blocking access to root dc's

                            Originally posted by Hanley:
                            I take it your member server in VLAN3 is a member of the child domain?

                            When you log on to the member server are you logging on to the child or root domain?

                            Hello,

                            You are correct: the member server is a member of the cust1.mid.root.com domain in VLAN 3, which is also the domain that I am logging into.

                            Thanks.



                            • #15
                              Re: GPO's don't get applied after blocking access to root dc's

                              What's the DNS configuration on Member Server 3 - is it pointing to a DNS server in the ROOT or CHILD domain as its preferred DNS server?

                              Have you run NETDIAG and DCDIAG on your DC in cust1.mid.root.com?
